Telegram Todo List

Pass. Audited by ClawScan on May 1, 2026.

Overview

This appears to be a scoped TODO.md manager that can read and persistently change one workspace todo file, with no evidence of hidden credential use, broad system access, or data exfiltration.

Install if you are comfortable with the agent reading and changing /root/.openclaw/workspace/TODO.md and showing its contents in the Telegram channel you use. Restrict Telegram access and keep a backup if the todo list is important.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A command can change or remove todo entries in the workspace TODO.md file.

Why it was flagged

The skill is explicitly designed to mutate TODO.md by adding, deleting, moving, editing, and completing tasks. This is purpose-aligned and scoped, but it is persistent file modification.

Skill content

Behavior Options: Add new task; Delete task; Move task; Edit task; Batch operations ... /todo execute <task_number>

Recommendation

Use the organize and execute commands deliberately, and keep a backup if TODO.md contains important information.

What this means

If TODO.md is missing or hits certain read-error cases, the helper may create or replace it with the bundled default template.

Why it was flagged

The helper falls back to creating the default template after read errors, and template creation writes to the TODO file. This is disclosed in the skill text, but it means a read path can cause a file write.

Skill content

except Exception as e: ... return create_default_template() ... write_todo(template)

Recommendation

Consider prompting before recreating an existing unreadable TODO.md, or keep a backup of the file.

What this means

Todo contents may be visible in the Telegram chat where the bot or agent responds.

Why it was flagged

The intended interface can display local TODO.md contents through a Telegram command channel. This is the stated purpose, but the artifacts do not describe chat/user access controls.

Skill content

Manage a Todo List stored in TODO.md through Telegram bot commands ... Display current todo list with status

Recommendation

Use this only in private or restricted Telegram chats, and avoid storing secrets or highly sensitive information in TODO.md.